Fixes

danog · danog · commit d9de7987634f · 2025-06-17T14:17:00.000+02:00
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -3510,6 +3510,7 @@ static void tracked_free_all(zend_mm_heap *heap) {
 static void* poison_malloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
 	zend_mm_heap *heap = AG(mm_heap);
+	ZEND_MM_UNPOISON_HEAP(heap);
 
 	if (SIZE_MAX - heap->debug.padding * 2 < size) {
 		zend_mm_panic("Integer overflow in memory allocation");
@@ -3529,12 +3530,14 @@ static void* poison_malloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 		ZEND_MM_UNPOISON(ptr, size);
 	}
 
+	ZEND_MM_POISON_HEAP(heap);
 	return ptr;
 }
 
 static void poison_free(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
 	zend_mm_heap *heap = AG(mm_heap);
+	ZEND_MM_UNPOISON_HEAP(heap);
 
 	if (EXPECTED(ptr)) {
 		/* zend_mm_shutdown() will try to free the heap when custom handlers
@@ -3555,6 +3558,7 @@ static void poison_free(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 	}
 
 	zend_mm_free_heap(heap, ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+	ZEND_MM_POISON_HEAP(heap);
 }
 
 static void* poison_realloc(void *ptr, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
@@ -3563,6 +3567,7 @@ static void* poison_realloc(void *ptr, size_t size ZEND_FILE_LINE_DC ZEND_FILE_L
 
 	void *new = poison_malloc(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 
+	ZEND_MM_UNPOISON_HEAP(heap);
 	if (ptr) {
 	    /* Determine the size of the old allocation from the unpadded pointer. */
 		size_t oldsize = zend_mm_size(heap, (char*)ptr - heap->debug.padding ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
@@ -3578,13 +3583,15 @@ static void* poison_realloc(void *ptr, size_t size ZEND_FILE_LINE_DC ZEND_FILE_L
 		memcpy(new, ptr, MIN(oldsize, size));
 		poison_free(ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 	}
+	ZEND_MM_POISON_HEAP(heap);
 
 	return new;
 }
 
 static size_t poison_gc(void)
 {
 	zend_mm_heap *heap = AG(mm_heap);
+	ZEND_MM_UNPOISON_HEAP(heap);
 
 	void* (*_malloc)(size_t ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
 	void  (*_free)(void* ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
@@ -3598,7 +3605,8 @@ static size_t poison_gc(void)
 	size_t collected = _zend_mm_gc(heap);
 
 	_zend_mm_set_custom_handlers_ex(heap, _malloc, _free, _realloc, _gc, _shutdown);
-
+	
+	ZEND_MM_POISON_HEAP(heap);
 	return collected;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3510,6 +3510,7 @@ static void tracked_free_all(zend_mm_heap *heap) {`
`3510`	`3510`	`static void* poison_malloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)`
`3511`	`3511`	`{`
`3512`	`3512`	`zend_mm_heap *heap = AG(mm_heap);`
	`3513`	`+ ZEND_MM_UNPOISON_HEAP(heap);`
`3513`	`3514`
`3514`	`3515`	`if (SIZE_MAX - heap->debug.padding * 2 < size) {`
`3515`	`3516`	`zend_mm_panic("Integer overflow in memory allocation");`
`@@ -3529,12 +3530,14 @@ static void* poison_malloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)`
`3529`	`3530`	`ZEND_MM_UNPOISON(ptr, size);`
`3530`	`3531`	`}`
`3531`	`3532`
	`3533`	`+ ZEND_MM_POISON_HEAP(heap);`
`3532`	`3534`	`return ptr;`
`3533`	`3535`	`}`
`3534`	`3536`
`3535`	`3537`	`static void poison_free(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)`
`3536`	`3538`	`{`
`3537`	`3539`	`zend_mm_heap *heap = AG(mm_heap);`
	`3540`	`+ ZEND_MM_UNPOISON_HEAP(heap);`
`3538`	`3541`
`3539`	`3542`	`if (EXPECTED(ptr)) {`
`3540`	`3543`	`/* zend_mm_shutdown() will try to free the heap when custom handlers`
`@@ -3555,6 +3558,7 @@ static void poison_free(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)`
`3555`	`3558`	`}`
`3556`	`3559`
`3557`	`3560`	`zend_mm_free_heap(heap, ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);`
	`3561`	`+ ZEND_MM_POISON_HEAP(heap);`
`3558`	`3562`	`}`
`3559`	`3563`
`3560`	`3564`	`static void* poison_realloc(void *ptr, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)`
`@@ -3563,6 +3567,7 @@ static void* poison_realloc(void *ptr, size_t size ZEND_FILE_LINE_DC ZEND_FILE_L`
`3563`	`3567`
`3564`	`3568`	`void *new = poison_malloc(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);`
`3565`	`3569`
	`3570`	`+ ZEND_MM_UNPOISON_HEAP(heap);`
`3566`	`3571`	`if (ptr) {`
`3567`	`3572`	`/* Determine the size of the old allocation from the unpadded pointer. */`
`3568`	`3573`	`size_t oldsize = zend_mm_size(heap, (char*)ptr - heap->debug.padding ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);`
`@@ -3578,13 +3583,15 @@ static void* poison_realloc(void *ptr, size_t size ZEND_FILE_LINE_DC ZEND_FILE_L`
`3578`	`3583`	`memcpy(new, ptr, MIN(oldsize, size));`
`3579`	`3584`	`poison_free(ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);`
`3580`	`3585`	`}`
	`3586`	`+ ZEND_MM_POISON_HEAP(heap);`
`3581`	`3587`
`3582`	`3588`	`return new;`
`3583`	`3589`	`}`
`3584`	`3590`
`3585`	`3591`	`static size_t poison_gc(void)`
`3586`	`3592`	`{`
`3587`	`3593`	`zend_mm_heap *heap = AG(mm_heap);`
	`3594`	`+ ZEND_MM_UNPOISON_HEAP(heap);`
`3588`	`3595`
`3589`	`3596`	`void* (*_malloc)(size_t ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);`
`3590`	`3597`	`void (_free)(void ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);`
`@@ -3598,7 +3605,8 @@ static size_t poison_gc(void)`
`3598`	`3605`	`size_t collected = _zend_mm_gc(heap);`
`3599`	`3606`
`3600`	`3607`	`_zend_mm_set_custom_handlers_ex(heap, _malloc, _free, _realloc, _gc, _shutdown);`
`3601`		`-`
	`3608`	`+`
	`3609`	`+ ZEND_MM_POISON_HEAP(heap);`
`3602`	`3610`	`return collected;`
`3603`	`3611`	`}`
`3604`	`3612`